Overview
If your firm provides engineering studies, design, analysis, testing support, or technical services to federal agencies, your task orders, deliverables, schedules, and program correspondence are Federal Contract Information. That triggers FAR 52.204-21 and a CMMC Level 1 self-assessment with an annual SPRS affirmation.
Engineering is one of the services where CUI shows up most often, because design data, drawings, specifications, and reference material on defense systems are frequently marked. When the agency or prime gives you marked CUI to work with, or flows down DFARS 252.204-7012 and sends marked data, that work is Level 2 and needs a controlled environment.
The right move is disciplined scoping per engagement. Plenty of engineering support work involves only FCI and sits at Level 1. The engagements that involve marked technical data are Level 2 and belong in a separate, documented enclave.
Typical contracts you'll see
- Engineering studies, analyses, and design support task orders
- Technical and engineering support services for program offices
- Test, evaluation, and surveying support contracts
- Subcontracts under an engineering or A and E prime
- SBIR and STTR Phase I engineering prototypes
What FCI actually looks like for you
Anything below is Federal Contract Information and triggers FAR 52.204-21. None of it is CUI on its own.
Common pitfalls in this industry
- Assuming all engineering work is Level 2, when plenty of support work is FCI only and sits at Level 1.
- Missing marked CUI in a deliverable package and continuing to run at Level 1, when that work is Level 2.
- Sharing CAD and analysis files on an open network drive, which fails FAR 52.204-21 (b)(1)(iii).
- Letting engineers use personal, unencrypted laptops with no MFA for federal work.
- Publishing technical approaches or program details before the agency clears them, which fails (b)(1)(iv).
- Treating the SPRS affirmation as a one-time task instead of an annual obligation.
Your Level 1 action plan
1. Scope each engagement: FCI only, or marked CUI involved. Confirm in writing with the agency or prime.
2. Keep FCI-only engagements at Level 1 and stand up a controlled enclave for any engagement with marked CUI.
3. Move federal engineering work onto a paid Microsoft 365 or Google Workspace tenant with MFA enforced.
4. Set CAD, model, and analysis file access to least privilege per project, and give each engineer a named account.
5. Encrypt every laptop and workstation used for federal work and protect remote access with MFA.
6. Write a one- to two-page boundary description: which systems hold federal FCI and how marked CUI work is kept separate.
7. Run the 15-practice self-assessment, capture evidence, then have a senior official affirm the score in SPRS and set the annual reminder.
Most common NAICS codes
Use these when searching SAM.gov, filing for set-asides, or checking size standards.
- 541330 Engineering Services
- 541380 Testing Laboratories
- 541370 Surveying & Mapping (except Geophysical) Services
- 541360 Geophysical Surveying & Mapping Services
- 541715 R&D in the Physical, Engineering & Life Sciences
Frequently asked questions
Q. Is engineering support always Level 2 because of technical data?
No. Engineering work is Level 1 when it involves only Federal Contract Information. It becomes Level 2 when the agency or prime gives you marked CUI to work with, or flows down DFARS 252.204-7012 with marked technical data. Many engineering support engagements involve only FCI and stay at Level 1, while specific technical data programs are Level 2.
Q. How do I know if a drawing or spec is CUI?
CUI is explicitly marked. Look for a CUI banner and category markings such as Controlled Technical Information or Export Controlled. Unmarked drawings and specifications produced or received under the contract are FCI. If something should be marked but is not, ask the contracting officer rather than guessing.
Q. Can I keep most of my firm at Level 1 if one contract has CUI?
Yes. Scope the CUI contract into a separate, controlled environment and keep the rest of the firm at Level 1. Document the boundary clearly so a reviewer can see which systems hold CUI and which hold only FCI. Many engineering firms run exactly this split.
Q. Do I need an SSP for the Level 1 part of my work?
No. Level 1 does not require a System Security Plan under 32 CFR Part 170. The Level 2 work does require an SSP and a NIST SP 800-171 assessment. For the Level 1 part you need evidence the 15 practices are met, a short boundary description, and a current list of authorized users.